The Anonymous hacker group known as AntiSec has released more than 1 million Apple device identification numbers after allegedly swiping them from the FBI.
The unique device identifier numbers, or UDIDs, were dumped on PasteBin with a lengthy message criticizing cybersecurity, praising the Syrian rebels, and calling out Gawker reporter Adrian Chen, who has jabbed at the hacker groups in the past.
The identification numbers look real, reported Forbes’ Andy Greenberg, who downloaded the data and found that it included character strings resembling UDIDs. These identification numbers are regularly used by applications run on Apple devices as a way for users to log in. While they are a quick and easy way for users to interact with software often unknowingly, the UDIDs are extremely vulnerable, reported Aldo Cortesi, a researcher who has published numerous studies on the abuse of UDID since May 2011.
“In a sample of 94 apps I tested, 74% silently sent the UDID to one or more servers on the Internet, often without encryption,” Cortesi wrote in September 2011.
The UDIDs were allegedly stolen from a FBI laptop used by special agent Christopher K. Stangl of New York’s Evidence Response Team. AntiSec claims that a Dell notebook used by Stangl was hacked during the second week of March, including a file named “NCFTA_iOS_devices_intel.csv” said to contain more than 12 million UDIDs, name of devices, type of device, Apple Push Notification Service tokens, ZIP codes, cell phone numbers, and addresses.
According to his LinkedIn page, Stangl has worked in New York for the FBI since 2003, BetaBeat reported.
“so the big question: why [are we] exposing this personal data? well we have learnt it seems quite clear nobody pays attention if you just come and say ‘hey, FBI is using your device details and info and who the fuck knows what the hell are they experimenting with that,’” AntiSec wrote on PasteBin. “but well, whatever, at least we tried and eventually, looking at the massive number of devices concerned, someone should care about it.”
One person who cares is Cortesi, who called this leak the “tip of the iceberg” in a post Tuesday.
“Negotiating disclosure and trying to convince companies to fix their problems has taken literally months of my time, so I’ve stopped publishing on this issue for the moment. It’s disheartening to say it, but some of the companies mentioned in my posts still have unfixed problems (they were all notified well in advance of any publication),” Cortesi wrote. “I’ve often been asked ‘What’s the worst that can happen?’. My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”
In April, Apple began rejecting applications that used the UDID.
Update: All Things Digital reports that the FBI refuted AntiSec’s claims with the following statement.
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
Photo by Newtown grafitti/Flickr